Hi folks,
It’s been a while, but I have a good excuse – we have a newborn in the house and my lack of sleep has meant I’ve only recently regained the ability to put together a coherent thought. Or maybe not. I’m not sure – we’ll see how this goes.
For my wife and I, late nights spent trying to calm a baby while staying awake ourselves often means watching TV. We don’t watch much TV otherwise, so that means we have all sorts of entire, multi-season shows we can binge watch. With our last kid, the show of choice was Breaking Bad.
If you haven’t watched it, you should – it’s awesome.
Either way, the main character adopts the nom de guerre of Heisenberg. If you’re like me, you have a vague recollection of Heisenberg’s Uncertainty Principle from high school chemistry. Or was it physics? Maybe English lit? Regardless, some googling helped refresh my memory.
Werner Karl Heisenberg was a German physicist and one of the pioneers of quantum mechanics. In 1927, he introduced his uncertainty principle which, in layman’s terms, states that when measuring the location and momentum of a particle, the precision of those measurements are inversely proportional to one another. Meaning that the better your measurement of position, the worse your measurement of momentum. But that doesn’t make sense, right? You’d think a really good microscope would provide more precise measurements all around.
Heisenberg – clearly tired of people asking him stupid questions like the above – developed a thought experiment to demonstrate his argument. It’s called the Heisenberg Microscope, and it basically says in order to measure the location of a particle, you’re going to use a technique that impacts its momentum. Vice versa for measuring momentum.
It’s a concept strongly founded in the Observer Effect which says that simply observing a situation changes the outcome. This is a fun theory, and it’s pretty applicable outside of the hard sciences. The idea in management science is this – by measuring certain performance metrics, you can improve the performance of an individual or organization. There a plenty of studies supporting this, but one from 2011 in the International Journal of Operations and Production Management describes three distinct effects of performance management:
- Trigger – revealing a need for change in a process or activity (read: are our goals the right ones?)
- Guidance – improving the alignment between what a process plan says should take place and what actually does that place (read: are we doing what we say we’ll do?)
- Intensification – increasing the frequency of process assessments (read: do our processes actually support our goals?)
The benefits of these kinds of effects within security are obvious. Rarely does everybody naturally agree on the objective of a security program – think of the cliché scenario of a infosec professional who wants to lock everything down to a nearly unusable state vs the business unit representative who wants easy access to the entire internet. Anything that drives an examination and consensus building around those goals – a trigger effect – lays the groundwork for better inter organizational relationships and better focused efforts for the security program. Similarly, ensuring a tight relationship between those goals and our processes (intensification) – and making sure we follow those processes (guidance) – is critical to maintaining a secure environment.
So while Heisenberg says we can’t get an accurate performance assessment since our measurement itself will change the results, it sounds like that’s a good thing. Let’s select some metrics for each of our security programs and start monitoring!
Rex